SigmaHQ/rules/windows/sysmon
2019-02-01 23:27:53 +01:00
sysmon_ads_executable.yml Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
sysmon_attrib_hiding_files.yml Escaped * where required 2018-08-10 13:53:08 +02:00
sysmon_bitsadmin_download.yml ATT&CK software tag is added to Bitsadmin Download rule 2018-07-20 09:35:35 +03:00
sysmon_bypass_squiblytwo.yml Further ATT&CK tagging 2018-07-19 23:36:13 +02:00
sysmon_cactustorch.yml CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
sysmon_cmdkey_recon.yml Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
sysmon_cmstp_com_object_access.yml Update sysmon_cmstp_com_object_access.yml 2018-10-09 19:03:30 -05:00
sysmon_cmstp_execution.yml Further ATT&CK tagging 2018-07-19 23:36:13 +02:00
sysmon_cobaltstrike_process_injection.yml rule: Cobalt Strike beacon detection via Remote Thread Creation 2018-11-30 10:25:05 +01:00
sysmon_dhcp_calloutdll.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_dns_serverlevelplugindll.yml Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
sysmon_exploit_cve_2015_1641.yml Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
sysmon_exploit_cve_2017_0261.yml Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
sysmon_exploit_cve_2017_8759.yml Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
sysmon_exploit_cve_2017_11882.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_ghostpack_safetykatz.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_lethalhta.yml style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
sysmon_logon_scripts_userinitmprlogonscript.yml Rule: UserInitMprLogonScript persistence method 2019-01-12 12:03:36 +01:00
sysmon_mal_namedpipes.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_malware_backconnect_ports.yml Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
sysmon_malware_script_dropper.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_malware_verclsid_shellcode.yml Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
sysmon_mimikatz_detection_lsass.yml ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
sysmon_mimikatz_inmemory_detection.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_mshta_spawn_shell.yml ATT&CK tagging of MSHTA Spawning Windows Shell 2018-07-20 09:53:55 +03:00
sysmon_office_shell.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_password_dumper_lsass.yml ATT&CK tagging 2018-07-17 23:58:11 +02:00
sysmon_plugx_susp_exe_locations.yml Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
sysmon_powershell_amsi_bypass.yml Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
sysmon_powershell_dll_execution.yml style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
sysmon_powershell_download.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_powershell_exploit_scripts.yml Add ATT&CK Matrix tags 2018-08-22 09:30:55 -05:00
sysmon_powershell_network_connection.yml Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
sysmon_powershell_renamed_ps.yml Rule: Renamed PowerShell.exe 2019-01-12 12:03:36 +01:00
sysmon_powershell_suspicious_parameter_variation.yml Improve Rule & Updated HELK SIGMA Standardization Config 2018-12-08 11:30:21 +03:00
sysmon_powersploit_schtasks.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_quarkspw_filedump.yml Various rule fixes 2018-03-27 14:35:49 +02:00
sysmon_rundll32_net_connections.yml Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
sysmon_sdbinst_shim_persistence.yml Fixed tag and date 2018-08-07 08:22:11 +02:00
sysmon_shell_spawn_susp_program.yml fix: fixed date in rule 2018-10-10 15:27:58 +02:00
sysmon_stickykey_like_backdoor.yml Fixed tag 2018-07-24 07:58:25 +02:00
sysmon_susp_certutil_command.yml rule: extended certutil rule to include verifyctl and allows renamed certutil 2019-01-22 16:20:06 +01:00
sysmon_susp_cmd_http_appdata.yml Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
sysmon_susp_control_dll_load.yml Change all "str" references to be "list" to match schema update 2018-01-28 02:24:16 +03:00
sysmon_susp_driver_load.yml Update sysmon_susp_driver_load.yml 2018-07-13 18:36:12 -05:00
sysmon_susp_exec_folder.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_susp_execution_path_webserver.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_execution_path.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_image_load.yml user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
sysmon_susp_mmc_source.yml Update sysmon_susp_mmc_source.yml 2018-07-13 18:49:08 -05:00
sysmon_susp_net_execution.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_susp_ping_hex_ip.yml Rule: Ping hex IP address 2018-03-23 17:00:00 +01:00
sysmon_susp_powershell_parent_combo.yml Update sysmon_susp_powershell_parent_combo.yml 2018-10-09 19:11:17 -05:00
sysmon_susp_powershell_rundll32.yml Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
sysmon_susp_prog_location_network_connection.yml Rule: false positive reduction in rule 2018-12-17 10:02:55 +01:00
sysmon_susp_prog_location_process_starts.yml Rule: Suspicious Program Location Process Starts 2019-01-15 15:40:51 +01:00
sysmon_susp_recon_activity.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_reg_persist_explorer_run.yml Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
sysmon_susp_regsvr32_anomalies.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_susp_run_key_img_folder.yml Rule simplification 2018-09-28 10:58:50 +03:00
sysmon_susp_schtask_creation.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_susp_script_execution.yml Massive Title Cleanup 2018-01-27 10:57:30 +01:00
sysmon_susp_svchost.yml added att&ck tactic 2018-08-07 08:36:53 +02:00
sysmon_susp_taskmgr_localsystem.yml Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00
sysmon_susp_taskmgr_parent.yml Several rule updates 2018-03-19 16:36:15 +01:00
sysmon_susp_tscon_localsystem.yml Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
sysmon_susp_tscon_rdp_redirect.yml Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
sysmon_susp_vssadmin_ntds_activity.yml Update att&ck tag 2018-08-07 08:27:24 +02:00
sysmon_susp_wmi_execution.yml Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
sysmon_sysinternals_eula_accepted.yml Rule: SysInternals EULA accept improved and renamed 2018-08-30 13:16:28 +02:00
sysmon_system_exe_anomaly.yml added att&ck tactic 2018-08-07 08:37:51 +02:00
sysmon_uac_bypass_eventvwr.yml style: cosmetics - removed empty lines at file end 2019-01-29 12:54:07 +01:00
sysmon_uac_bypass_sdclt.yml Tag fixes 2018-08-07 08:18:16 +02:00
sysmon_vul_java_remote_debugging.yml fixed typo 2018-07-16 16:20:33 -05:00
sysmon_webshell_detection.yml added att&ck tag 2018-08-07 08:49:05 +02:00
sysmon_webshell_spawn.yml added att&ck tag 2018-08-07 08:50:01 +02:00
sysmon_win_binary_github_com.yml Rule: Improved Github communication rule 2018-08-30 10:12:12 +02:00
sysmon_win_binary_susp_com.yml Rule: Suspicious communication endpoints 2018-08-30 10:12:12 +02:00
sysmon_win_reg_persistence.yml changed .yaml files to .yml for consistency 2018-11-20 21:07:36 -08:00
sysmon_wmi_event_subscription.yml Rule: WMI Event Subscription 2019-01-12 12:03:36 +01:00
sysmon_wmi_persistence_commandline_event_consumer.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_wmi_persistence_script_event_consumer_write.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_workflow_compiler.yml Fixed rule 2018-08-23 08:20:28 +02:00